Sign up to our newsletter
In speeches yesterday, UK chancellor George Osborne didn’t just announce that the British government would be investing £1.9 billion to enhance its cybersecurity capabilities.
He also warned about the spectre of online terrorists attacking national infrastructure, and made some rather bold pronouncements about Britain’s willingness to engage in cyberwarfare to defend itself.
Perhaps predictably, many of the tabloid newspapers chose to run with that angle.
Speaking at GCHQ in Cheltenham, Osborne said that the United Kingdom reserved the right “to respond to a cyber attack in any way that we choose.”
Part of establishing deterrence will be building global norms, so that those who do not follow them can be called out, and shown to be acting outside the boundaries of acceptable behaviour.
And part of establishing deterrence will be making sure that whoever attacks us knows we are able to hit back.
We need to destroy the idea that there is impunity in cyberspace. We need those who would harm us to know that we will defend ourselves robustly. And that we have the means to do so.
This is the fifth element of the plan.
Thanks to the investment that we have made during the last Parliament, just as our adversaries can use a range of actions against us, from the virtual to the physical, so we are making sure that we can employ a full spectrum of actions in response.
We reserve the right to respond to a cyber attack in any way that we choose.
And we are ensuring that we have at our disposal the tools and capabilities we need to respond as we need to protect this nation, in cyberspace just as in the physical realm.
We are building our own offensive cyber capability – a dedicated ability to counter-attack in cyberspace.
This stance of bravado against internet attacks isn’t entirely new from British politicians.
In 2011, for instance, the then Home Secretary William Hague, told a tabloid newspaper that Britain was prepared to “strike first” against online enemies targeting government computer systems and critical infrastructure such as power plants and air traffic control systems.
But both Hague and Osborne have been disappointingly thin with details on just how Britain might launch strikes against internet attackers.
In fairness, that’s hardly surprising. It’s reasonable that one side doesn’t want to describe the tricks and tools it has up its sleeve to subvert the other. And there’s little likelihood that the spies at GCHQ are going to feel comfortable talking about it either.
But, if we accept that George Osborne is right that ISIS’s “murderous brutality has a strong digital element” that could see it attacking national infrastructure, what can be done to fight back?
Well, it feels to me like there are several options – including denial-of-service attacks to disrupt a combatant’s operations, targeted malware attacks to infect enemy devices and secretly spy upon their plans, and good old-fashioned interception of communications which – after all – is GCHQ’s stock in trade.
Things went a step further, and became more physical, earlier this year when a US drone strike killed British-born hacker Junaid Hussain, believed to be the leader of the notorious CyberCaliphate group, which had a history of defacing websites and hijacking social media accounts to spread pro-ISIS propaganda.
What links all of these tactics, however, is the very real possibility of collateral damage – of innocent people suffering due to poorly targeted or ill-considered counter-attacks. We all know how difficult it is to reliably attribute responsibility for a particular internet attack, and things become even more serious if you plan to launch your own attack either as revenge or even in a pre-emptory strike.
And, it has to be said, there’s a huge difference between seizing control of a poorly protected Twitter account and launching a serious attack against the UK’s national infrastructure.
Nonetheless, politicians want to be seen to be tough on terrorism in the wake of the Paris killings, and they believe that strong rhetoric is not going to do them any harm at all in the public’s eye.
The threats to our country in cyber space come from a range of places – from individual hackers, criminal gangs, terrorist groups and hostile powers.
To all of them I have a clear message.
We will defend ourselves. But we will also take the fight to you too.
We are increasingly confident in our ability to determine from where attacks come.
We are stepping up not just the means of defence, but also the means to ensure that attacks on Britain are not cost-free.
To those who believe that cyber attack can be done with impunity I say this: that impunity no longer exists.
It’s fighting talk from the British government. But what I am most interested to see is when the words become actions – and whether it will ever be seen to have a positive impact on online security for all of us.
Author Graham Cluley, We Live Security